In computing, “side channel attacks” are a class of techniques used to leak information about a sensitive computation through externally visible side effects of performing that computation. Through targeted analysis, these externally visible side effects may encode information about a sensitive value. In the context of cryptography, for example, memory access patterns made by privileged software performing a cryptographic operation may vary based on a secret cryptographic key's value. Thus, the latency of subsequent memory operations—which is observable to unprivileged software—may encode information about secret key values used by the privileged software as an index into lookup tables or substitution boxes that are common to many cryptographic algorithms. Since side channel attacks have been considered a serious issue for cryptographic software, mitigations have been crafted, such as careful tailoring of cryptographic operations to be constant time with respect to any sensitive key material.
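The following added example (not part of the original text) contrasts a key-dependent substitution-box lookup, whose memory access pattern encodes the secret index, with a constant-time lookup that touches every table entry and selects the wanted one by masking. The 16-entry table is constructed for illustration; a real cipher's S-box is larger and spans several cache lines, which is what makes the access pattern observable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-entry substitution box; not any real cipher's S-box. */
static const uint8_t SBOX[16] = {
    0x6, 0x4, 0xc, 0x5, 0x0, 0x7, 0x2, 0xe,
    0x1, 0xf, 0x3, 0xd, 0x8, 0xa, 0x9, 0xb
};
#define SBOX_LEN 16u

/* Leaky variant: the address loaded depends on the secret nibble, so the
 * cache line brought in (and its later access latency) encodes the secret. */
uint8_t sbox_lookup_leaky(uint8_t secret_nibble)
{
    return SBOX[secret_nibble & 0xf];
}

/* Constant-time variant: every entry is read regardless of the secret, and
 * the wanted entry is selected with a branch-free mask, so the sequence of
 * memory accesses is identical for all secret values. */
uint8_t sbox_lookup_ct(uint8_t secret_nibble)
{
    uint8_t out = 0;
    secret_nibble &= 0xf;
    for (size_t i = 0; i < SBOX_LEN; i++) {
        /* d is 0 only when i == secret_nibble; (d - 1) then wraps to all ones,
         * so mask is 0xff for the matching entry and 0x00 for every other. */
        uint16_t d = (uint16_t)((uint8_t)i ^ secret_nibble);
        uint8_t mask = (uint8_t)((uint16_t)(d - 1u) >> 8);
        out |= SBOX[i] & mask;
    }
    return out;
}

/* Returns 1 when both variants agree on every possible input. */
int sbox_variants_agree(void)
{
    for (unsigned v = 0; v < SBOX_LEN; v++)
        if (sbox_lookup_ct((uint8_t)v) != sbox_lookup_leaky((uint8_t)v))
            return 0;
    return 1;
}

int main(void)
{
    printf("constant-time lookup matches table: %s\n",
           sbox_variants_agree() ? "yes" : "no");
    return 0;
}
```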
Side channel attacks are also possible within other domains. For example, a “speculative” side channel attack may leak arbitrary sensitive data by utilizing observable side effects resulting from the speculative out-of-order instruction execution designs used by modern high-performance processors. In particular, speculative side channel attacks may leverage timing artifacts of a processor's speculative execution hardware in order to leak secret memory content used by privileged software designed to protect such secret memory content (e.g., an operating system, a hypervisor, etc.).
One example of a speculative side channel includes an instruction execution sequence that speculatively, during an out-of-order instruction execution flow, issues a load from a privileged memory location containing a secret, and then accesses additional unprivileged-accessible cache lines using the contents from the first load as an index. While the computations performed during this speculative execution flow would eventually be rolled back by the out-of-order machine if it is later determined that they were mispredicted, the side effects of these computations (e.g., the cache lines accessed using sensitive memory contents as an index) are still externally visible to unprivileged software by measuring such things as memory latency after any mispredicted instructions have been cancelled.
Various techniques exist for unprivileged software to cause a mispredicted speculative execution flow in privileged software. For example, during execution of privileged software, unprivileged software may cause an out-of-order machine to execute a mispredicted speculative execution flow in the privileged software (e.g., by setting up a branch target buffer with specially-crafted entries), and then observe side effects of that mispredicted speculative execution flow. Techniques also exist for unprivileged software to extend the length of time before the misprediction is resolved, thereby increasing the chance that useful data can be leaked from the predicted out-of-order instruction flow before it is canceled by the out-of-order machine.